CHAPTER 3

Initial Configuration

This chapter describes the steps required to initialize and configure an SSL proxy blade for use in a network environment. This setup procedure assumes that the SSL proxy blade has already been installed according to the previous installation instructions and all relevant network cables are connected.

This chapter contains the following sections:

Initializing the SSL Proxy Blade

Before the SSL proxy blade can be used, it must be initialized with the required information using the blade console, which is accessible through the Sun Fire B1600 system controller. Once the SSL proxy blade has been initially configured, it can be managed through Telnet.

To Initialize the SSL Proxy Blade

1. Gather the required information.

When the SSL proxy blade is powered on for the first time, you must set the values for the parameters listed in TABLE 3-1 before the device can operate correctly. Use the empty value column as a worksheet.

TABLE 3-1 Worksheet of Values for the SSL Proxy Blade Initialization

| Parameter Name | Value | Description |
|---|---|---|
| SSL proxy blade | | Name for the SSL proxy blade for administration purposes. |
| Management (admin) IP address | | IP address for administration by means of Telnet. |
| Administration port netmask | | Netmask for the local administration subnet. |
| Default gateway | | IP address of the gateway in the local subnet. |
| Security officer password | | Initial security officer password. Should be changed by the security officer. |
| Management VLAN | | This parameter must be set based on your network setup. |
| Traffic ports | | |
| Secure/clear portpair | | TCP port numbers for secure/clear client traffic. |
| | | If you have no certificates, then you can create a key and generate a signing request. For simplicity, in this setup we will create a self-signed certificate. |
| | | RSA private key that can be used to generate a certificate request or a self-signed certificate. |
| Services IP addresses | | Each service supports a server. To set up the services, you need the IP address of each HTTP server for which the SSL proxy blade should process SSL traffic. |

2. Set up the SSL proxy blade.

a. Log on to the SSL proxy blade.

When the SSL Proxy blade console is accessed, the Login: prompt displays after the boot process completes.

# telnet B1600_sc_ip-addr
sc> console Sn
Login: so

Where n is the slot number for the SSL proxy blade.

Note - For initial setup you must be logged in as the security officer (so).

After the user name and password are validated, the command prompt is displayed: CLI#

b. Change the security officer password with the command:

 CLI# set password 

For more information about user access and privileges, see User Access.

c. Run the setup command.

After logging in for the first time, you must run the setup command before setting any configuration information. The setup command prompts you for the required information listed above.

CLI# setup
Enter secure port (https) (443): 
Enter clear port (http) (880): 
Change the password:
Enter login password: 
Enter new password: 
Re-enter new password: 
Password changed.
    Setup has completed successfully.
    You should add keys and services to complete the configuration.
    To save the configuration enter: config save

The setup command configures the blade for the first time. You can use specific commands to change the initial parameters later.

3. Verify that the blade is connected.

a. To verify connectivity, ping any host on the same subnet from the SSL proxy blade. The ping should report the host to be alive.

CLI# ping ip-addr
PING from 56 data bytes
64 bytes from icmp_seq=0 ttl=255 time=0 ms
--- ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0/0/0 ms
    host is alive.

Note - In the previous command the IP address (ip-addr) must be entered as a numeric IP address and not a hostname.

b. To verify Telnet, use Telnet to connect to the SSL proxy blade.

This option allows you to continue the setup process from a local area network.

To Create Keys and Certificates

Before the SSL proxy blade can process SSL traffic, the keys and certificates must be installed.

See Keys and Certificates for more information on the import and create commands.

1. Create a key.

CLI# create key keyname 					
Enter key strength (1024): 512|1024|2048
Key keyname generated. 

2. Create a certificate.

You can create a self-signed certificate to serve as a temporary certificate for testing purposes and internal use.

CLI#  create certificate 
Enter key name: keyname
Enter country (US): abbreviated_country
Enter state or province (CA): abbreviated_state
Enter locality (Company Town): town_name
Enter common name (www.company-name.com): www1.my-company.com
Enter organization (Company Name): my_company_name
Enter organization unit (Company Unit): department
Enter email address (support@company-name.com): email@company_name.domain
Certificate generated. 

Alternatively, you can create a certificate request and then export it from the SSL proxy blade to be sent to a certificate authority for signing.

CLI# create certrequest
Enter key name: keyname
Enter country (US): abbreviated_country
Enter state or province (CA): abbreviated_state
Enter locality (Company Town): town_name
Enter common name (www.company-name.com): www1.my-company.com
Enter organization (Company Name): my_company_name
Enter organization unit (Company Unit): department
Enter email address (support@company-name.com): email@company_name.domain
Certificate generated. 

3. Hand off this certificate request to a certificate authority. Use this certificate authority to generate the certificate. After receiving the signed certificate from the certificate authority, use the following import certificate command or import ftp|tftp certificate commands to import the certificate into the system.

CLI# import tftp certificate

4. Export the certificate request.

CLI# export ftp certrequest
Enter key name: keyname
Enter remote file name (certificate-request.txt):
Enter remote path (/home/b10puser):
Enter remote IP Address: (
Enter remote user name (b10b10puser):
Enter remote user password:****
    connecting and writing [/home/b10puser/certificate-request.txt] to
    Sent: [729] bytes
    Certificate signing request exported.

To Create Services for the Servers

After the certificates have been installed, you can create services for each server. The services enable the SSL proxy blade to process SSL traffic.

Create a service:

CLI# create service
Enter service name: new_servicename
Enter key name: keyname
Enter server IP Address: ( server_ip-addr
Enter cipher (export/best/optional/high/medium/low) (best): cipher
Enter portpair number (1..4) (1): 1
Service new_servicename created. 

See Services for a full explanation of service settings.
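The key strength and cipher prompts in the two procedures above accept weak answers (512-bit and 1024-bit keys, an export cipher class), and an empty answer takes the default shown in parentheses, so a saved console session is worth checking before the configuration is saved. The following Python sketch is an added example, not part of the original manual or the blade's software; the transcript, the key and service names, and the policy values MIN_KEY_BITS and ALLOWED_CIPHERS are assumptions made for illustration.

```python
import re

MIN_KEY_BITS = 2048                 # assumed review policy, not from the manual
ALLOWED_CIPHERS = {"best", "high"}  # assumed policy; the cipher classes are defined under Services

# Constructed console session for illustration (key and service names are hypothetical).
SAMPLE = """\
CLI# create key web1
Enter key strength (1024):
Key web1 generated.
CLI# create key web2
Enter key strength (1024): 2048
Key web2 generated.
CLI# create service
Enter service name: shop
Enter key name: web2
Enter cipher (export/best/optional/high/medium/low) (best): export
Enter portpair number (1..4) (1): 1
Service shop created.
CLI# create service
Enter service name: intranet
Enter key name: web2
Enter cipher (export/best/optional/high/medium/low) (best):
Enter portpair number (1..4) (1): 1
Service intranet created.
"""

def parse_prompt(line):
    """Return (field, effective value) for an 'Enter ...' prompt line, else None."""
    if not line.startswith("Enter "):
        return None
    head, _, answer = line[len("Enter "):].partition(":")
    groups = re.findall(r"\(([^()]*)\)", head)   # the last (...) group is the default
    field = head.split("(")[0].strip().lower()
    return field, (answer.strip() or (groups[-1] if groups else ""))

def audit(transcript):
    """List (command, finding) pairs for answers that fall below the assumed policy."""
    findings, command = [], ""
    for line in map(str.strip, transcript.splitlines()):
        if line.startswith("CLI#"):
            command = line[4:].strip()
            continue
        field, value = parse_prompt(line) or ("", "")
        if field == "service name":
            command = f"create service {value}"
        elif field == "key strength" and value.isdigit() and int(value) < MIN_KEY_BITS:
            findings.append((command, f"key strength {value} is below {MIN_KEY_BITS}"))
        elif field == "cipher" and value not in ALLOWED_CIPHERS:
            findings.append((command, f"cipher class '{value}' is not in the allowed set"))
    return findings
```

On the constructed session, audit(SAMPLE) reports the key created with the accepted 1024-bit default and the service created with the export cipher class; the service that accepted the default cipher passes.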

To Verify and Save the Configuration

1. Use the show config or show all commands to display the current SSL proxy blade configuration.

CLI# show all
    port 1:
      management (admin) IP:
      management (admin) netmask:
      management (admin) gateway:
    port 2:
      management (admin) IP:
      management (admin) netmask:
      management (admin) gateway:
... ...
portpair 1:
      secure port:     443
      clear port:      880
    portpair 2:
      secure port:     0
      clear port:      0
    portpair 3:
      secure port:     0
      clear port:      0
    portpair 4:
      secure port:     0
      clear port:      0
... ...

Other configuration information can be displayed using the commands described in TABLE 3-2.

2. Save the configuration as permanent.

CLI# config save 

When you log out you will be reminded if the configuration has not been saved and given an option to cancel the logout. Configuration changes that are not saved will be lost if the SSL proxy blade is rebooted. The command config compare can determine if the configuration in memory is different than the permanent configuration stored in flash.

3. Verify and start processing.

Note - Browsers come preloaded with recognized CA certificates. Thus, with a self-signed certificate as used in this example, a browser will not recognize the CA and will issue a warning.

a. Check the version and features of the stored software.

b. Use the following CLI# commands to display important information about the SSL proxy blade configuration.

TABLE 3-2 Commands to Display Configuration Information



| Command | Description |
|---|---|
| show portpair | Shows all TCP port settings |
| show all | Shows all system information |
| show config | Shows all system information |
| show snmp | Shows the SNMP agent |
| show service | Shows all current services |
| show log | Shows logging config. information |
| show stats | Shows statistics |
| show features | Shows software license information |
| show version | Shows software version |
| show boot | Shows release version information |
| show state | Shows various system settings |
| show link | Shows inband port link settings |
| show interface | Shows inband interface settings |

These and other show commands are described in detail in Appendix G.

c. Start processing.

After adding certificates, services, and configuring the Sun Fire B10n content load balancing blade, you can start the SSL proxy blade using the start command. The start command is used to start the SSL proxy blade processing SSL traffic.

CLI# start 

4. Exit the CLI interface.

After the setup process is finished, and the SSL proxy blade is successfully processing traffic, use the logout command to exit the command-line interface. You can also exit the CLI by typing the following:
